On October 16th, 2023, Cisco issued an advisory about an actively exploited vulnerability in the web UI feature of Cisco IOS XE Software when exposed to untrusted networks or the internet.
Designated CVE-2023-20198, with a maximum-severity CVSS score of 10.0, this vulnerability permits unauthenticated remote attackers to create an account with privilege level 15 access on an affected system. The attacker can leverage this unauthorized account to seize control of the device. Additionally, it is probable that internet-exposed devices are already compromised: based on open-source analysis conducted by eSentire Threat Intelligence, implant strings were detected on just under 50% of a reviewed set of 1000 exposed systems.
Cisco has clarified that, as of October 17th, 2023, no workaround or patch is available for this flaw, which makes applying the recommended mitigation as soon as possible paramount. Cisco strongly recommends that "customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the 'no ip http server' or 'no ip http secure-server' command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature."
Cisco has also noted indicators that a system may have been compromised, underscoring the seriousness of the active exploitation in the wild. Additionally, eSentire TRU has identified exploitation in the wild dating back to at least October 12. Given the gravity of this exploit and the absence of any immediate patches, organizations must assess their exposure and take protective measures.
Cisco has identified ongoing active exploitation of a previously undisclosed vulnerability in the Web User Interface (Web UI) feature of Cisco IOS XE software (CVE-2023-20198). The vulnerability impacts physical and virtual devices running the Web UI software with the HTTP or HTTPS Server feature enabled. The Web UI is bundled with the default image, meaning no extra licenses or setup are required for its activation. Upon successful exploitation, the intruder can create an account with privilege level 15 on the compromised device, thereby acquiring full control of the device and gaining a foothold for further unauthorized activity.
Cisco's advice to deactivate the HTTP Server feature on internet-accessible systems is not just a best practice; it also echoes guidance previously issued by the U.S. government emphasizing the risks associated with publicly accessible management interfaces.
The discovery of this vulnerability emerged from a collaborative effort between Cisco support centers and their security team. This collaboration identified unique indicators from a minuscule fraction of cases among the typically high daily case influx.
When this was published on October 17th, no proof-of-concept code was publicly available for CVE-2023-20198. Given the severity of this vulnerability, adherence to the guidelines in Cisco's PSIRT advisory should be prioritized. Organizations potentially impacted by this vulnerability must promptly apply the mitigation steps and perform retroactive sweeps to verify that exploitation did not occur.
Indicators of Compromise:
Indicator | Type
205.185.123[.]17 | IP Address
162.33.177[.]204 | IP Address
5.149.249[.]74 | IP Address
154.53.56[.]231 | IP Address
cisco_tac_admin | Username
cisco_support | Username
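As an added example (not part of the original advisory or Cisco's tooling), the following Python script audits a saved IOS XE running-config for the two conditions this advisory ties together: the HTTP/HTTPS Server feature being enabled, and a privilege 15 local account using one of the usernames listed above as indicators. The sample config is constructed, and the `audit_config` helper is a hypothetical name chosen here.

```python
import re

# Constructed sample of "show running-config" output; not from a real device.
SAMPLE_CONFIG = """\
version 17.6
hostname edge-rtr-1
!
username admin privilege 15 secret 9 $9$placeholder
username cisco_tac_admin privilege 15 secret 9 $9$placeholder
!
ip http server
ip http secure-server
ip http authentication local
!
end
"""

# Local usernames listed as indicators of compromise in the advisory.
IOC_USERNAMES = {"cisco_tac_admin", "cisco_support"}

# Matches "username <name> privilege <level> ..." at the start of a line.
USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+(\d+)", re.MULTILINE)


def audit_config(config: str) -> dict:
    """Return exposure, suspicious accounts and the mitigation commands to apply."""
    lines = [line.strip() for line in config.splitlines()]
    # Exact-line match so "no ip http server" is not mistaken for the enabled form.
    http_enabled = "ip http server" in lines
    https_enabled = "ip http secure-server" in lines
    suspicious = sorted(
        user for user, priv in USER_RE.findall(config)
        if user in IOC_USERNAMES and priv == "15"
    )
    remediation = []
    if http_enabled:
        remediation.append("no ip http server")
    if https_enabled:
        remediation.append("no ip http secure-server")
    return {
        "web_ui_exposed": http_enabled or https_enabled,
        "suspicious_privilege15_users": suspicious,
        "remediation_commands": remediation,
    }


if __name__ == "__main__":
    for key, value in audit_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

A hit on a suspicious account is a triage lead, not proof of compromise; confirm it against the device's own logs and Cisco's advisory before acting.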